Add trustCACert part in oci-native-ingress.oraclecloud.com/mutual-tls…

…-authentication

Signed-off-by: george <xiangzhihua@gmail.com>

pkg/controllers/ingress/ingress.go

@@ -375,7 +375,7 @@ func (c *Controller) ensureIngress(ingress *networkingv1.Ingress, ingressClass *
 
 		// listenerSslConfig.VerifyPeerCertificate
 
-		mode, deepth := stateStore.GetMutualTlsPortConfigForListener(port)
+		mode, deepth, trustcacert := stateStore.GetMutualTlsPortConfigForListener(port)
 		mtlsPorts := stateStore.IngressGroupState.MtlsPorts
 		klog.Infof("  GetMutualTlsPortConfigForListener **********   mtlsPorts :  %s ", util.PrettyPrint(mtlsPorts))
 
@@ -384,16 +384,23 @@ func (c *Controller) ensureIngress(ingress *networkingv1.Ingress, ingressClass *
 			// listenerSslConfig.VerifyDepth
 			listenerSslConfig.VerifyPeerCertificate = common.Bool(true)
 			listenerSslConfig.VerifyDepth = &deepth
-			caBundleId, _ := CreateOrGetCaBundleForBackendSet(ingress.Namespace, artifact, c.defaultCompartmentId, c.client)
-			if err != nil {
-				klog.Infof(" CreateOrGetCaBundleForBackendSet ********** CreateOrGetCaBundleForBackendSet  port :  %s ", port)
-				return err
-			}
-			if caBundleId != nil {
-				caBundleIds := []string{*caBundleId}
+
+			// check wethear the trustcacert is valid ca bundle
+			if isTrustAuthorityCaBundle(trustcacert) {
+				caBundleIds := []string{trustcacert}
 				listenerSslConfig.TrustedCertificateAuthorityIds = caBundleIds
 			}
 
+			// caBundleId, _ := CreateOrGetCaBundleForBackendSet(ingress.Namespace, artifact, c.defaultCompartmentId, c.client)
+			// if err != nil {
+			// 	klog.Infof(" CreateOrGetCaBundleForBackendSet ********** CreateOrGetCaBundleForBackendSet  port :  %s ", port)
+			// 	return err
+			// }
+			// if caBundleId != nil {
+			// 	caBundleIds := []string{*caBundleId}
+			// 	listenerSslConfig.TrustedCertificateAuthorityIds = caBundleIds
+			// }
+
 		}
 		klog.Infof("  GetMutualTlsPortConfigForListener  after :  %s ", util.PrettyPrint(listenerSslConfig))
 
@@ -522,7 +529,7 @@ func syncListener(namespace string, stateStore *state.StateStore, lbId *string,
 		}
 
 		var port = int32(*listener.Port)
-		mode, deepth := stateStore.GetMutualTlsPortConfigForListener(port)
+		mode, deepth, trustcacert := stateStore.GetMutualTlsPortConfigForListener(port)
 		mtlsPorts := stateStore.IngressGroupState.MtlsPorts
 		klog.Infof("  syncListenerr  mtlsPorts :  %s ", util.PrettyPrint(mtlsPorts))
 
@@ -538,16 +545,23 @@ func syncListener(namespace string, stateStore *state.StateStore, lbId *string,
 			if mode == util.MutualTlsAuthenticationVerify {
 				listener.SslConfiguration.VerifyPeerCertificate = common.Bool(true)
 				listener.SslConfiguration.VerifyDepth = &deepth
-				caBundleId, _ := CreateOrGetCaBundleForBackendSet(namespace, artifact, c.defaultCompartmentId, c.client)
-				if err != nil {
-					klog.Infof(" syncListener  CreateOrGetCaBundleForBackendSet  port :  %s ", port)
-					return err
-				}
-				if caBundleId != nil {
-					caBundleIds := []string{*caBundleId}
+
+				// check wethear the trustcacert is valid ca bundle
+				if isTrustAuthorityCaBundle(trustcacert) {
+					caBundleIds := []string{trustcacert}
 					listener.SslConfiguration.TrustedCertificateAuthorityIds = caBundleIds
 				}
 
+				// caBundleId, _ := CreateOrGetCaBundleForBackendSet(namespace, artifact, c.defaultCompartmentId, c.client)
+				// if err != nil {
+				// 	klog.Infof(" syncListener  CreateOrGetCaBundleForBackendSet  port :  %s ", port)
+				// 	return err
+				// }
+				// if caBundleId != nil {
+				// 	caBundleIds := []string{*caBundleId}
+				// 	listener.SslConfiguration.TrustedCertificateAuthorityIds = caBundleIds
+				// }
+
 			} else {
 				listener.SslConfiguration.VerifyPeerCertificate = common.Bool(false)
 				listener.SslConfiguration.VerifyDepth = common.Int(1)

pkg/state/ingressstate.go

@@ -42,9 +42,10 @@ type TlsConfig struct {
 	Type     string
 }
 type MutualTlsPortConfig struct {
-	Port  int32  `json:"port"`
-	Mode  string `json:"mode"`
-	Depth int    `json:"depth,omitempty"`
+	Port        int32  `json:"port"`
+	Mode        string `json:"mode"`
+	Depth       int    `json:"depth,omitempty"`
+	TrustCACert string `json:"trustcacert"`
 }
 type StateStore struct {
 	IngressClassLister networkinglisters.IngressClassLister
@@ -335,12 +336,12 @@ func (s *StateStore) GetTLSConfigForListener(port int32) (string, string) {
 // 	return MutualTlsPortConfig{}
 // }
 
-func (s *StateStore) GetMutualTlsPortConfigForListener(port int32) (string, int) {
+func (s *StateStore) GetMutualTlsPortConfigForListener(port int32) (string, int, string) {
 	portMtlsConfig, ok := s.IngressGroupState.MtlsPorts[port]
 	if ok {
-		return portMtlsConfig.Mode, portMtlsConfig.Depth
+		return portMtlsConfig.Mode, portMtlsConfig.Depth, portMtlsConfig.TrustCACert
 	}
-	return "", 0
+	return "", 0, ""
 }
 
 func (s *StateStore) GetTLSConfigForBackendSet(bsName string) (string, string) {

pkg/state/ingressstate_test.go

@@ -466,7 +466,7 @@ func TestMtlsAuthVerifyPortConfig(t *testing.T) {
 	err := stateStore.BuildState(&ingressClassList.Items[0])
 	Expect(err).NotTo(HaveOccurred())
 
-	mode, deepth := stateStore.GetMutualTlsPortConfigForListener(943)
+	mode, deepth, _ := stateStore.GetMutualTlsPortConfigForListener(943)
 
 	Expect(mode).Should(Equal(util.MutualTlsAuthenticationVerify))
 	Expect(deepth).Should(Equal(1))

pkg/state/validate-mutual-tls-authentication.yaml

@@ -10,7 +10,7 @@ metadata:
   name: ingress-mutual-authentication-annotation-one
   namespace: default
   annotations:
-    oci-native-ingress.oraclecloud.com/mutual-tls-authentication: '[{"port": 80, "mode": "passthrough"}, {"port": 943, "mode": "verify","depth":1 }]'
+    oci-native-ingress.oraclecloud.com/mutual-tls-authentication: '[{"port": 80, "mode": "passthrough"}, {"port": 943, "mode": "verify","depth":1 ,"trustCACert" : "ocid1.cabundle.oc1.phx.amaaaaaacuco5yqaiwnnqo54ffsumwoxjxtgwtvyyau3dv7gyeisykfavzta" }]'
 spec:
   rules:
   - http: